CVE-2026-4404
Received Received - Intake
Hardcoded Credentials in GoHarbor Harbor Allow Unauthorized Access

Publication date: 2026-03-23

Last updated on: 2026-03-24

Assigner: CERT/CC

Description
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4404
EUVD
EUVD-2026-14455
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
goharbor harbor 2.15.0
goharbor harbor to 2.16.0 (exc)
goharbor harbor to 2.15.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1393 The product uses default passwords for potentially critical functionality.
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4404 is a vulnerability in GoHarbor Harbor versions 2.15.0 and below where hardcoded default credentials are used. This means that the software includes a default admin password that is set in the configuration and does not require the user to change it upon installation or first login.

Because the default password is stored in plaintext and not enforced to be changed, attackers can easily use this known password to gain unauthorized access to the Harbor web user interface.

This vulnerability arises from the use of default passwords that are widely known and can be exploited to bypass authentication, leading to unauthorized administrative access.

Impact Analysis

The impact of this vulnerability is that attackers can gain unauthorized access to the Harbor web UI by using the default hardcoded admin password.

This unauthorized access can lead to privilege escalation, allowing attackers to perform administrative actions within the Harbor container registry.

Such access could compromise container images, configurations, and potentially the security of the entire container deployment environment.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if the Harbor installation is using the default hardcoded admin password, which is stored in plaintext within the system's configuration files."}, {'type': 'paragraph', 'content': "One way to detect it is to inspect the Harbor configuration file (typically harbor.yml or similar) for the presence of the default password value (e.g., 'Harbor12345')."}, {'type': 'paragraph', 'content': 'Commands to check for default credentials might include searching for the default password string in configuration files, for example:'}, {'type': 'list_item', 'content': "grep -r 'Harbor12345' /path/to/harbor/config/"}, {'type': 'list_item', 'content': 'cat /path/to/harbor/config/harbor.yml | grep harbor_admin_password'}, {'type': 'paragraph', 'content': 'Additionally, monitoring login attempts to the Harbor web UI for use of default credentials or scanning for open Harbor web UI endpoints could help identify vulnerable instances.'}] [2, 4]

Mitigation Strategies

To mitigate this vulnerability, immediately change the default admin password to a strong, unique password.

If you are installing or upgrading Harbor, use version 2.16.0 or later, which enforces interactive password setting during installation and removes the hardcoded default password.

If you have an existing installation on version 2.15.0 or below, manually update the admin password in the Harbor configuration and restart the service.

  • Edit the harbor.yml configuration file to set a secure admin password.
  • Run the Harbor installer script and provide a strong password when prompted.

Additionally, restrict access to the Harbor web UI to trusted networks and monitor for unauthorized login attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart